A U.S. Joint Forces Command Solution to Coalition Interoperability

Mr. Craig Vroom
Mr. Allan H. McClure

Support to coalition operations in the future is an information assurance challenge today. Since 1994, little has changed in the methods and mechanisms we use to provide information to our allied partners. As each coalition operation (Haiti, Somalia, Bosnia, Kosovo) comes and goes, the lessons learned statements always cry for improved interoperability within the coalition. The requirements are well documented throughout the Department of Defense (DoD). Even Joint Vision 2010, the DoD road map for the future, states, “It is not enough to be joint when conducting future operations. We must find the most effective methods for integrating and improving interoperability with allied and coalition partners.” True interoperability with our allied partners will come only after we have an information exchange system designed from the ground up for use by coalition forces.

“Successful completion of the CMHP project will require careful transition from risk avoidance to risk management in the way classified information is managed and safeguarded.”
Admiral Harold Gehman, Commander in Chief, United States Joint Forces Command

Colonel Dennis Treece’s article in the Spring 1999 IAnewsletter was right on target in describing the shortcomings and challenges of releasing and disseminating classified military information to our multinational partners in a coalition environment. As Colonel Treece says, the “really hard part, the ‘Achilles heel’ of coalition information sharing, is the mechanism by which any nation transfers information outside its own system.” Because of valid security policy restrictions, we are not allowed to connect our Defense networks to multinational networks, thus creating the need for “sneaker nets”—literally, running the releasable information from the U.S. side, across an air gap, to the multinational side. Anyone who has experienced the pain of this method knows its difficulties and limitations. (In 1994, those of us in U.S. Atlantic Command had our turn when we provided information support to the 29 countries involved in Haiti peace operations.)

U.S. Joint Forces Command (USJFCOM, formerly U.S. Atlantic Command) is responsible within DoD for joint task force (JTF) interoperability. At Joint Forces Command, we have embarked on building a system for secure information exchange. It is called the Coalition Multilevel Security (MLS) Hexagon Prototype, or CMHP. The CMHP is composed of six functions that will allow us to exchange information with our allies in a secure, flexible manner.

Side 1 of the Hexagon (Figure 1), Marking Standards, uses the classification and control marking standards adopted by the U.S. intelligence community. These standards were coordinated by the Controlled Access Program Coordinating Office (CAPCO) and continue to be fine-tuned by CAPCO as required.

Side 2 of the Hexagon is called Document Marking, which is designed to implement human-readable markings. Basically, this software enables the information originator to mark Microsoft Word, PowerPoint, and Excel documents in accordance with the CAPCO and Executive Order 12958 standards. The marking is a simple operation, done with the point and click of a mouse and made still easier by pull-down menus that provide choices for basic classification, caveats, and “release to” options for countries, coalitions, operations, organizations, and exercises. Once the document is marked, it is then transformed into a “computer-readable” label, side 3 of the Hexagon. A digital signature attaches the label to the document, which is then encrypted and sent to the “Coalition Server,” an Oracle 8 relational database management system.

Figure 1. Coalition MLS Hexagon Prototype

Hexagon’s side 4, Personal Authentication, is the linchpin of CMHP. A personal token called a Hexcard allows us to identify the user and all of his or her security attributes. Much as an automated teller machine (ATM) card does, the Hexcard will store a user’s fingerprint template and a credential set based on his or her clearance levels, citizenship, and need-to-know roles. Hexcards will be inserted into workstation smart-card readers to identify the user to the system.

Side 5 of the Hexagon is the hardware, including NT workstations, fingerprint scanners, and smart-card readers, required for the CMHP.

Hexagon’s side 6 is Security Management. A special staff security officer must be assigned to coordinate system security requirements, issue Hexcards to CMHP participants, understand the information assurance requirements, and monitor the system for improper attempts to access data.

The Hexagon concept provides the flexibility required in coalition-supported joint task force operations by encrypting and protecting the object, rather than the network. This is the key difference between CMHP and other multilevel security (MLS) solutions. Using object protection, we can compare the attributes of an individual with the objects that reside in the server. If there is a match, the coalition participant can retrieve and decrypt the document.
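As an added example (not CMHP code), the object-protection check described above, written in Python: a computer-readable label is bound to the document by a signature, and the server compares the user's clearance, citizenship and need-to-know roles against it before releasing the object. The label fields, the level ordering, the country and coalition names, and the use of HMAC in place of a digital signature are assumptions made for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of classification levels for the dominance comparison.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed stand-in for the originator's signing key (a real system would use
# an asymmetric signature; HMAC is used here only to keep the example offline).
ORIGINATOR_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Label:
    """Computer-readable label: classification, caveats and the 'release to' set."""
    classification: str
    caveats: frozenset      # need-to-know roles required to read the object
    release_to: frozenset   # countries or coalitions the originator released it to


@dataclass(frozen=True)
class Credential:
    """Security attributes carried on a user's token."""
    clearance: str
    citizenship: str
    roles: frozenset
    coalitions: frozenset = frozenset()


def _label_bytes(label: Label, doc_sha256: str) -> bytes:
    """Canonical encoding of the label plus the document hash it is bound to."""
    body = {
        "classification": label.classification,
        "caveats": sorted(label.caveats),
        "release_to": sorted(label.release_to),
        "doc_sha256": doc_sha256,
    }
    return json.dumps(body, sort_keys=True).encode()


def attach_label(document: bytes, label: Label) -> dict:
    """Bind the label to the document contents so neither can be swapped later."""
    doc_sha256 = hashlib.sha256(document).hexdigest()
    sig = hmac.new(ORIGINATOR_KEY, _label_bytes(label, doc_sha256), hashlib.sha256).hexdigest()
    return {"label": label, "doc_sha256": doc_sha256, "sig": sig, "document": document}


def label_is_intact(obj: dict) -> bool:
    """Reject objects whose label or contents were altered after signing."""
    if hashlib.sha256(obj["document"]).hexdigest() != obj["doc_sha256"]:
        return False
    expected = hmac.new(ORIGINATOR_KEY, _label_bytes(obj["label"], obj["doc_sha256"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj["sig"])


def attributes_match(cred: Credential, label: Label) -> bool:
    """Server-side comparison of the user's attributes with the object's label."""
    if cred.clearance not in LEVELS or label.classification not in LEVELS:
        return False
    if LEVELS[cred.clearance] < LEVELS[label.classification]:
        return False                      # clearance does not dominate the label
    if not label.caveats <= cred.roles:
        return False                      # a required need-to-know role is missing
    # Releasability: the user's nation or one of their coalitions must be listed.
    return bool(({cred.citizenship} | cred.coalitions) & label.release_to)


def retrieve(obj: dict, cred: Credential) -> Optional[bytes]:
    """Release the object only if its label verifies and the attributes match."""
    if not label_is_intact(obj) or not attributes_match(cred, obj["label"]):
        return None
    return obj["document"]


# Constructed sample: a SECRET object released to the U.S. and one coalition.
SAMPLE_DOC = b"Constructed sample: coalition logistics plan"
SAMPLE_LABEL = Label("SECRET", frozenset({"LOGISTICS"}), frozenset({"USA", "COALITION-X"}))
SAMPLE_OBJ = attach_label(SAMPLE_DOC, SAMPLE_LABEL)

US_PLANNER = Credential("SECRET", "USA", frozenset({"LOGISTICS"}))
ALLIED_PLANNER = Credential("SECRET", "ALLY-A", frozenset({"LOGISTICS"}), frozenset({"COALITION-X"}))
ALLIED_NO_ROLE = Credential("TOP SECRET", "ALLY-A", frozenset(), frozenset({"COALITION-X"}))
NON_MEMBER = Credential("TOP SECRET", "ALLY-B", frozenset({"LOGISTICS"}))

if __name__ == "__main__":
    for name, cred in [("US planner", US_PLANNER), ("Allied planner", ALLIED_PLANNER),
                       ("Allied, no role", ALLIED_NO_ROLE), ("Non-member nation", NON_MEMBER)]:
        print(f"{name:18s} {'released' if retrieve(SAMPLE_OBJ, cred) else 'denied'}")
```

Note that a higher clearance alone (the TOP SECRET non-member) does not unlock the object: releasability and need-to-know are checked independently of the level comparison.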

The CMHP will be tested and demonstrated at the Joint Battle Center (JBC) in Suffolk, Virginia, in May 2000. The objective of the demonstration will be to bring existing technologies together to allow users with different clearance levels from different countries to use the same local area network and gain access only to information they are authorized to see. After the concept is demonstrated, the Joint Battle Center will provide an independent assessment of the system’s military utility.

The ultimate goal of the Hexagon is to provide the joint task force commander a tool that increases the effectiveness of communications with allied or interagency forces.

Mr. Craig Vroom is the International Programs Branch Chief at U.S. Joint Forces Command, located in Norfolk, Virginia. He has an undergraduate degree in Computer Science from San Diego State University and is currently participating in DoD’s Defense Leadership and Management Program (DLAMP). You may reach him via E-mail at vroom@jric.jfcom.mil.

Mr. Allan McClure is a Lead Engineer supporting the US Joint Forces Command Director for Intelligence. During the last seven years, he has helped in the implementation of Intelink and developed a collaborative architecture for the Non-Proliferation Center, a Director for Central Intelligence (DCI) controlled activity. He may be reached at amcclure@mitre.org.

Figure 2. CMHP HexCard
USEUCOM Information Assurance Conference

Mr. Kent Waller

Brigadier General Charles E. Croom, director, United States European Command (USEUCOM)/J6, hosted USEUCOM’s first Information Assurance Conference, 30 November-2 December 1999, at the Abrams Center in Garmisch-Partenkirchen, Germany. The conference had three purposes:

• To present pressing information assurance (IA) issues and review associated IA products
• To foster teamwork and synergy among key IA players in the theater
• To provide the latest IA informational updates for theater IA personnel.

Framework

The conference attracted a total of 162 people, representing Headquarters (HQ) USEUCOM, U.S. Army Europe (USAREUR), U.S. Air Forces Europe (USAFE), US Naval Forces Europe (USNAVEUR), Marine Forces Europe (MARFOREUR), Special Operations Command Europe (SOCEUR), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and other commands, such as U.S. Special Operations Command (USSOCOM), U.S. Pacific Command (USPACOM), and U.S. Central Command (USCENTCOM), as well as several other DoD agencies involved in USEUCOM IA.

Brigadier General Charles E. Croom.

By design, all levels of IA professionals, from enlisted to general officer grades, participated in the sessions. This arrangement ensured expression of various viewpoints at the forum and enabled individuals with hands-on working experience to interact directly with policy makers at the highest levels.

Each morning’s general session started with a senior-level keynote address. The speakers were Brigadier General Gary Salisbury, DISA/D6; Mr. Richard Schaeffer, Office of the Secretary of Defense (OSD), Command, Control, Communications, and Intelligence (C3I); and Mr. Orville Lewis, NSA/DDI Chief of Staff. All addresses were followed by extended question-and-answer sessions that immediately indicated a very high level of interest in the rapidly developing IA field.

Immediately following the keynote addresses were general session presentations from theater-specific IA leaders. A total of six speakers (two per day) from USNAVEUR, HQ USEUCOM, USAREUR, USAFE, and the North Atlantic Treaty Organization (NATO) presented issues and fielded questions.

The afternoons were divided into three in-depth breakout tracks in the areas of operations, computer security (COMPUSEC), and communications security (COMSEC). These sessions were smaller in number of participants, more technical, and more discussion oriented than the general sessions.

Operations discussions focused primarily on lessons learned from Kosovo operations and plans for future support. COMPUSEC participants dealt with information assurance vulnerability alert (IAVA) issues and discussed the technical details of dealing with theater-specific threats.

The COMSEC sessions, which were often filled to capacity, explored the areas of key management infrastructure, software test environment (STE) migration, Defense Message System (DMS) fielding, and Global Broadcast Service (GBS) fielding.

Selected special session presenters were invited to display products and services particularly associated with USEUCOM IA issues.

Theater Action Team

To ensure meaningful conference results, a Theater Action Team (TAT) was formed. Composed of key IA decision makers in the USEUCOM theater and chaired by Brigadier General Croom, the TAT met each evening to review and debate the many issues raised by the breakout tracks. After narrowing the number of issues, the team selected 20 action items; ranked each item’s priority as high, medium, or low; and assigned each action to an office of primary responsibility (OPR) with a deadline for accomplishment.

The TAT results were extremely well received by all conference participants. As a result of its success, the conference has led to the development of a new European Information Assurance Steering Council composed of senior IA leaders and aimed at providing continuing, unified guidance to theater IA personnel.

Additional Information

All conference materials, including the TAT action items, attendee lists, and briefings, are available for download from the HQ USEUCOM SIPRNET Web site.

The office with primary responsibility for the conference was the HQ USEUCOM C3I Directorate’s Defensive Information Warfare Division, directed by Col LaForrest Williams, U.S. Air Force (USAF). On behalf of Brigadier General Croom, this group extends appreciation to all the speakers who made the conference a success.

Mr. Kent Waller is an Information Assurance Program Manager for HQ United States European Command. He earned his B.S. in Engineering from the University of Oklahoma in 1986 and his Master of Public Administration from the University of Oklahoma in 1990. He may be reached at wallerkl@eucom.mil.

http://iac.dtic.mil/IATAC


The Joint Task Force for Computer Network Defense (JTF-CND) is a new organization with a new mission: to direct the defense of all Department of Defense (DoD) computers and networks and the information that moves in them from any threat, foreign or domestic. Our intelligence (J2) role on this team resembles any other JTF-level intelligence effort. That mission is to provide the commander, the JTF-CND staff, and assigned components with all-source, fused, predictive intelligence on enemy locations, capabilities, and intentions. The JTF-CND J2 must understand the enemy in cyberspace, and must provide decision-makers with the actionable intelligence required to support defensive operations.

That task is easier said than done. Those who choose to attack or exploit our information systems operate with great anonymity in globally interconnected networks. Additionally, our adversaries are armed with software tools that strike at the speed of light, and use tactics that are hard to detect in the noise of the net.

Finding the enemy in cyberspace is also complicated by the nature of this new terrain. There are few useful charts by which to orient us and little agreement on what the concept of “cyberspace” means. Perhaps the most useful definition remains William Gibson’s original explanation of the term: Cyberspace is “a consensual hallucination experienced daily by billions... [an] unthinkable complexity.” Try visualizing enemy locations in that!

The adversary may be a terrorist attempting to attack Department of Defense (DoD) networks to draw attention to a cause or to slow our response to an act of physical terror. Threats also come from espionage agents seeking to acquire sensitive but unclassified information for use by a foreign state or criminal organization. We may soon face nation state adversaries in cyberspace who seek military advantage, possibly by attacking our combat support infrastructure or, in perhaps the most insidious attack, by attempting to manipulate the perceptions of senior DoD decision makers.

Although the computer network defense intelligence problem is complex and relatively new, developing JTF-CND intelligence tactics, techniques, and procedures (TTP) has been simple and straightforward. We have based most of our TTPs on the existing playbook for JTF intelligence support, the Joint Staff’s Joint Doctrine for Intelligence Support to Operations (Joint Pub 2-0). Using intelligence doctrine as the bedrock for JTF-CND intelligence TTPs has already paid off. Following doctrine has increased the intelligence community focus on and support of the CND mission.

Joint Pub 2-0 also directly assisted in planning for the U.S. Space Command (SPACECOM) assumption of the DoD CND mission, which occurred 1 October 1999. Intelligence staffs at SPACECOM and JTF-CND quickly realized the importance of adhering to joint doctrine wherever possible. Using joint doctrine allowed us to clarify important aspects of the new relationship, including the most efficient means of handling intelligence collection and production requirements and appropriate division of labor between CINC and JTF intelligence personnel.

The central principle: Know the adversary. Perhaps Joint Pub 2-0’s most critical contribution is a clear articulation of the general functions that must be conducted by a JTF J2. It also provides guidance on how these functions should be carried out. The following points show JTF-CND J2 application of these principles.

The fundamental responsibility of the JTF-CND J2 is to provide JTF-CND decision makers with the fullest possible understanding of the cyber threat. This understanding must include knowledge of the adversary’s goals, objectives, strategy, intentions, capabilities, methods of operation, vulnerabilities, and sense of value and loss. To provide this understanding, the JTF-CND J2 and intelligence staff must develop and continuously refine an ability to think like the cyber threat.

Intelligence support is critical to operational success. JTF J2 staff must understand the adversary in order to support operations. Intelligence must be made actionable by tailoring it into a useful form and then getting it into the hands of the commander, the operations division (J3), and other JTF decision makers. Operations support also requires J2 assessment of J3 intentions from the adversary’s perspective to determine probable adversary responses.

Intelligence support requires the integration of intelligence efforts at strategic, operational, and tactical levels. Strategic intelligence is used to formulate defensive strategies and operations at national and theater levels, making both SPACECOM and JTF-CND key consumers of intelligence produced on the cyber threat to our Nation. Operational intelligence is used by SPACECOM and JTF-CND to determine defensive objectives and to support the planning and conduct of CND operations. Tactical intelligence required for CND is a new discipline that is still in an initial stage. When fully developed, tactical intelligence procedures and processes will support rapid reaction to tactical threats by JTF-CND components.

Strategic, operational, and tactical intelligence must be employed in a way that reduces our chances of being deceived or surprised. Deception and surprise are inherent factors in cyberspace, however, and will probably always be concerns.

Intelligence sources are the means or systems used to observe, sense and record, or convey information. JTF-CND J2 staff must understand the strengths and weaknesses of all intelligence sources relevant to this mission area. The seven primary intelligence sources are imagery intelligence, human intelligence, signals intelligence, measurement and signature intelligence, open source intelligence, technical intelligence, and counterintelligence. Unity of effort is maintained by tasking these disciplines in accordance with joint doctrine. All results are fused to provide the best possible assessments. Integration also helps reduce deception and surprise.

Intelligence supports all aspects of JTF-CND operations. JTF-CND J2 will participate in planning from the outset of any operation. Early involvement in JTF-CND planning will allow the J2 to articulate intelligence collection and production requirements to the intelligence community and to formulate, at an early stage, intelligence guidance for JTF-CND components. It will also allow the J2 to provide intelligence at every stage of the decision-making process.

Providing understanding of the enemy to support counterintelligence and operational security measures. Concurrent with the JTF-CND planning and operating process, the J2 will provide the commander with an understanding of the adversary’s command and control processes and adversary intelligence collection capabilities, so appropriate operational security and counterintelligence operations can be implemented.

Evaluating the effects of defensive operations. The JTF-CND J2 will assist the JTF commander and J3 in evaluating operational results and determining when objectives have been attained, so forces may be reoriented or operations terminated. Some defensive measures that may have to be taken on DoD networks to thwart a sophisticated adversary could affect millions of DoD computer users, making intelligence support for exit strategies of paramount importance.

Intelligence systems will be interoperable, usable, scalable, reliable, and user-friendly. Joint Pub 2-0 provides overarching guidance on establishment of a joint intelligence architecture for support to a JTF. Much of this architecture already exists in the military intelligence community infrastructure. CND intelligence architecture is based on the Joint Worldwide Intelligence Communications System (JWICS) and the Joint Deployable Intelligence Support System (JDISS). By tailoring JWICS and JDISS to the JTF-CND mission, JTF-CND joins a network linking the entire intelligence community.

New threat databases are being established to support this mission, and many new intelligence fusion, collaboration, and visualization tools are being developed to support CND intelligence analysts. As they are developed, strict adherence to joint doctrine and joint standards (where they exist) will help ensure interoperability and proper mission focus.

Intelligence TTPs must be understood by all players. A key reason for having joint doctrine is to know how the rest of the team will play. Intelligence TTPs spell these plays out in detail, describing agreed-upon ways that organizations interact. For example, JTF-CND components will follow joint doctrine in stating intelligence collection and production requirements to JTF-CND for further validation, prioritization, and tasking. When operations require, JTF-CND will issue statements of intelligence intentions to components, clarifying additional support procedures tailored to the particular mission. Component commanders will also provide feedback to the JTF on Service-related issues affecting the joint command, and will plan and develop implementing instructions for wartime intelligence support, including augmentation of joint forces.

Many aspects of this new mission area have yet to be covered by joint doctrine. That is to be expected in any modern military operation. But by starting with a foundation in joint doctrine, areas that have yet to be resolved are being discovered quickly and dialog is already underway to address them.

A Final Note

Operational units in the field or fleet who have a need for intelligence on cyberthreats can also rely on joint doctrine for intelligence. It is the basis for J2 procedures in every CINC area of responsibility, and is worth a good read by all uniformed professionals.
Mr. Richard Phares

On 13 and 14 October 1999, IATAC conducted an exercise on information operations (IO) for computer network defense (CND) for the Joint Task Force for CND (JTF-CND). This tabletop exercise, Zenith Star 99-1, was designed to look both at a CND scenario similar to that used for Eligible Receiver 97-1, and at the interagency working-level coordination necessary to react to such a scenario. Zenith Star 99-1 also exercised the JTF-CND Tactics, Techniques, and Procedures (TTPs) and assessed progress made since the JTF-CND stand-up in December 1998. Although the exercise used the Eligible Receiver 97-1 scenario as a base, it did not replay that exercise completely. Instead, it focused primarily on CND-related events to determine how new DoD organizations and processes built since Eligible Receiver 97-1 affect the CND community’s response to a similar crisis.

More than 55 participants attended the exercise, including players from U.S. Space Command (SPACECOM), the National Infrastructure Protection Center (NIPC), the National Security Agency (NSA), the Defense Intelligence Agency (DIA), the Central Intelligence Agency (CIA), the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD C3I), the Joint Staff, and JTF-CND and its component commands. Several observers from U.S. Pacific Command (PACOM), U.S. Special Operations Command (SOCOM), U.S. Joint Forces Command (JFCOM), the National Communications System (NCS), and others also attended. Facilitators included personnel from both IATAC and JTF-CND.

Zenith Star 99-1’s goal was to foster understanding of the process and products required in interagency coordination and the resulting impacts on the CND community’s ability to perform its mission. The exercise achieved this goal by helping participants accomplish four specific objectives:

• Understanding the roles of new CND organizations in responding to a contingency similar to Eligible Receiver 97-1 in scope and complexity
• Understanding interagency coordination requirements
• Examining processes and procedures for JTF-CND coordination with other supporting agencies (e.g., NIPC, Intel)
• Understanding needs for improvement highlighted by several communities—intelligence, law enforcement and counterintelligence, and operations.

The exercise structure included information briefings and “hot washes.” Zenith Star 99-1 emphasized team play, so information briefings were kept to the bare minimum required. The exercise clock began while participants received their “situation briefing”—exercise time and real time were one and the same. Participants were divided into functional teams as follows:

• Operations team (SPACECOM, JTF-CND and its components)
• Intelligence team (CIA, DIA, NSA)
• Law enforcement/counterintelligence team (Defense Criminal Investigative Organizations, NIPC)
• Other team (Joint Staff, Office of the Secretary of Defense [OSD])

Participants within teams were allowed to communicate freely with each other. Communications among teams, however, were strictly regulated. Participants used either real communications (the secure telephone units, third generation [STU-III], available in each team room, or face-to-face meetings arranged through the facilitators) or simulated communications (fax and E-mail). Additionally, the Control Cell brought participants together in a forum that allowed them to share information and work together on their responses.

Team play was driven by “Red Force” actions: teams received injects describing specif-
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Distributed  Denial 
of  Service  Tools 


8t  was  a  dark  and  stormy 
night... With  nothing  else  to 
do,  you  search  for  “places  that 
don’t  rain”  using  your  favorite 
Web  search  engine  only  to  get 
an  ominous  “Error  404.”  It  is 
quite  possible  that  the  search 
engine’s  Web  site  is  under  at¬ 
tack  from  hundreds  of  systems 
at  once,  just  as  Yahoo’s  page 
was  in  mid-February  for  3+ 
hours.  Could  such  a  coordinat¬ 
ed  attack  occur  in  reality?  Un¬ 
fortunately,  a  single  individual 
could,  with  relative  ease  and 
little  chance  of  repercussion, 
stage  such  an  attack  using  a 
new  breed  of  tools  referred  to 
as  Distributed  Denial  of  Service 
(DDoS)  tools. 

Reality  #  1 

The  number  of  poorly  con¬ 
figured  systems  connected  to 
the  Internet  is  rapidly  increas¬ 
ing.  This  is  partially  the  result 
of  well-connected  university 
dormitories  and  high-speed 
connections  to  the  home, 
(cable-modems  and  DSL  con¬ 
nections). 

Reality  #2 

Based  on  the  observed  rate 
of  network-wide  probes  and 
publicly  available  hacker  tools, 
intruders  are  more  interested 
in  the  number  of  compromised 
hosts  rather  than  specific  tar¬ 
gets. 

The reality is that, using publicly available tools, a determined intruder can compromise 100+ systems Internet-wide in a matter of days. Sadly, the number of vulnerable systems riding the Internet has outpaced a typical intruder's ability to do something useful with the compromised systems. Distributed intruder tools have matured in this environment and now enable an intruder to use a large number of compromised systems in a coordinated and collective manner. The first widely used example of distributed intruder tools is denial of service tools, though others are expected to follow shortly. With the current generation of tools and little effort, an intruder can flood a target with a massive amount of traffic from hosts around the world. These DDoS tools go by names such as trinoo, Tribe Flood Network (TFN), and Stacheldraht and are available for UNIX and Windows systems. It is believed that variants of these tools were used to successfully launch large-scale attacks against such popular Web sites as Yahoo, eBay, CNN, and others. Many of the victims have been very well connected sites with over a gigabit per second of sustained bandwidth.
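As an added illustration, not part of the original article, the following Python script triages flow records for the control channels of the tools named above. The port numbers are the defaults described in the public analyses of trinoo and Stacheldraht (attacker to trinoo master on TCP 27665, master to daemon on UDP 27444, daemon to master on UDP 31335; Stacheldraht client to handler on TCP 16660, handler to agent on TCP 65000); that an intruder left them unchanged is an assumption, and TFN, which signals over ICMP echo replies with no fixed port, is not covered. The flow records are constructed.

```python
"""Flow-record triage for known DDoS control channels and flood behaviour.

Added example, not code from the newsletter. Port defaults are the published
ones for stock trinoo and Stacheldraht builds (assumption: not recompiled with
other values). The flow records below are constructed for the example.
"""

from collections import defaultdict

# (protocol, destination port) -> role in the DDoS network, per published defaults.
CONTROL_CHANNELS = {
    ("tcp", 27665): "trinoo master (attacker -> master)",
    ("udp", 27444): "trinoo daemon (master -> daemon command)",
    ("udp", 31335): "trinoo master (daemon -> master registration)",
    ("tcp", 16660): "Stacheldraht handler (client -> handler)",
    ("tcp", 65000): "Stacheldraht agent (handler -> agent)",
}

# Constructed flow records: (proto, src, sport, dst, dport, duration_s, packets)
FLOWS = [
    ("tcp", "192.0.2.10",   40101, "198.51.100.5",  27665, 30, 40),     # attacker talks to master
    ("udp", "198.51.100.5",  1029, "203.0.113.7",   27444,  1, 1),      # master commands a daemon
    ("udp", "203.0.113.7",   1030, "198.51.100.5",  31335,  1, 1),      # daemon reports back
    ("tcp", "203.0.113.7",   1031, "203.0.113.80",     80,  5, 40),     # ordinary web traffic
    ("udp", "203.0.113.7",   1032, "198.51.100.9",     53,  1, 2),      # ordinary DNS lookup
    ("udp", "203.0.113.7",   1033, "192.0.2.200",       7, 60, 600000), # UDP flood: 10,000 pkt/s
]


def match_control_channels(flows, channels=CONTROL_CHANNELS):
    """Return (src, dst, dport, role) for every flow aimed at a known control port."""
    hits = []
    for proto, src, _sport, dst, dport, _dur, _pkts in flows:
        role = channels.get((proto, dport))
        if role is not None:
            hits.append((src, dst, dport, role))
    return hits


def find_flood_pairs(flows, min_pps=1000.0):
    """Average packets per second per (src, dst) over the flows' total duration
    and report pairs at or above min_pps. A daemon flooding one target stands
    out here; a daemon that spoofs its source will not, so on an enclave's
    egress it is worth repeating this keyed by destination alone."""
    packets = defaultdict(int)
    seconds = defaultdict(int)
    for _proto, src, _sport, dst, _dport, dur, pkts in flows:
        packets[(src, dst)] += pkts
        seconds[(src, dst)] += max(dur, 1)
    flagged = []
    for (src, dst), n in packets.items():
        pps = n / seconds[(src, dst)]
        if pps >= min_pps:
            flagged.append((src, dst, pps))
    return sorted(flagged)


def implicated_daemons(flows):
    """Hosts that both touched a control channel and sourced a flood: the
    strongest indication in flow data that a host is a daemon."""
    hits = match_control_channels(flows)
    control_hosts = {h[0] for h in hits} | {h[1] for h in hits}
    flood_hosts = {src for src, _dst, _pps in find_flood_pairs(flows)}
    return sorted(control_hosts & flood_hosts)


def report(flows=FLOWS):
    return {
        "control": match_control_channels(flows),
        "floods": find_flood_pairs(flows),
        "daemons": implicated_daemons(flows),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

A miss here proves nothing: the ports are trivially changed at build time, and the host-based scanners mentioned below look for the binaries themselves rather than their traffic.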

The current generation of DDoS tools requires an intruder to install a "daemon" on each of the compromised systems. At least one "master" system keeps track of the daemon systems and directs the attack. When prompted by the intruder, the master contacts each of the daemons and specifies the target and method of attack. From the victim's perspective, they appear to be under attack from hundreds of systems from around the world all at once.

Figure 1. Example DDoS network

There are two primary computer network defense goals with relation to the recent distributed attacks:

Don't be a participant in an attack.

The Internet community is already struggling with the scale of these attacks. Vulnerable DoD systems can be unwitting participants in a DDoS network, serving only to increase the scale and complexity.

The current set of DDoS tools is installed after a system has been compromised by an intruder; the tools themselves do not exploit any specific vulnerability. Based on past incidents, most DoD compromises are the direct result of unpatched vulnerabilities that DoD's Information Assurance Vulnerability Alert (IAVA) process has documented (http://www.cert.mil/iava). Sites are encouraged to routinely check their systems for IAVA compliance. Sites are also advised to do the following:

• Periodically run DDoS scanning tools. Sites are encouraged to use either vendor- or government-developed tools to detect known instances of DDoS tools.

— The National Infrastructure Protection Center (NIPC) has produced a host-based scanning tool to detect known DDoS tools. The tool only runs on Solaris and Linux at the time of this article. The tool is available on the DoD-CERT's home page (http://www.cert.mil/resources/security_tools.htm).

— The current DoD-contracted antivirus vendors, Symantec and McAfee, have developed signatures to detect the Windows variants of the DDoS tools.

• Sites are encouraged to pressure their vendors (antivirus, intrusion detection, etc.) to update their detection signatures if they have not already done so.

• Enable anti-spoofing rules at the enclave perimeter. Sites should configure their perimeter firewall and router to allow out only traffic with valid source IP addresses. Many of the tools spoof their source IP address to make the attack look like it is originating from somewhere else.

• Disable directed broadcast at the enclave perimeter. Sites should configure their router and firewall to disallow network traffic destined for their broadcast address.
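The two perimeter rules above, modeled as a packet-filter policy in Python. This is an added example, not the newsletter's or any vendor's configuration; the enclave prefixes and the packet list are constructed, and the ingress half of the anti-spoofing check (dropping arriving packets that claim an enclave source) goes beyond the text, being the inbound counterpart of the egress rule.

```python
"""Perimeter policy model: anti-spoofing in both directions and no directed
broadcast. Added example, not from the newsletter; ENCLAVE and PACKETS are
constructed. The 'in' direction anti-spoofing rule is an extension of the
text's egress rule."""

import ipaddress

# Assumed enclave address space (constructed).
ENCLAVE = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def in_enclave(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ENCLAVE)


def is_enclave_broadcast(addr):
    """True if addr is the broadcast address of any enclave subnet
    (the address a smurf-style attack aims at to get amplification)."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in ENCLAVE)


def filter_packet(direction, src, dst):
    """direction is 'out' (leaving the enclave) or 'in' (arriving from outside).
    Returns ('permit', None) or ('drop', reason); rules are checked in order."""
    if direction == "out":
        # Egress anti-spoofing: only enclave sources may leave. A daemon inside
        # that forges its source address is stopped at the perimeter.
        if not in_enclave(src):
            return ("drop", "spoofed source %s is not an enclave address" % src)
        return ("permit", None)
    if direction == "in":
        # Ingress anti-spoofing (extension): nothing from outside may claim an
        # enclave source address.
        if in_enclave(src):
            return ("drop", "external packet claims enclave source %s" % src)
        # No directed broadcast: refuse traffic to a subnet broadcast address.
        if is_enclave_broadcast(dst):
            return ("drop", "directed broadcast to %s" % dst)
        return ("permit", None)
    raise ValueError("direction must be 'in' or 'out'")


# Constructed packets: (direction, src, dst)
PACKETS = [
    ("out", "192.0.2.10",     "203.0.113.5"),     # normal outbound
    ("out", "10.99.99.99",    "203.0.113.5"),     # inside daemon spoofing its source
    ("out", "198.51.100.200", "203.0.113.5"),     # outside our /25: also spoofed
    ("in",  "203.0.113.9",    "192.0.2.10"),      # normal inbound
    ("in",  "203.0.113.9",    "192.0.2.255"),     # directed broadcast to the /24
    ("in",  "203.0.113.9",    "198.51.100.127"),  # directed broadcast to the /25
    ("in",  "192.0.2.33",     "192.0.2.10"),      # external packet with our own source
]


def apply_policy(packets):
    """Return (direction, src, dst, verdict, reason) for each packet."""
    return [(d, s, t) + filter_packet(d, s, t) for d, s, t in packets]


def count_dropped(packets):
    return sum(1 for r in apply_policy(packets) if r[3] == "drop")


if __name__ == "__main__":
    for row in apply_policy(PACKETS):
        print(row)
```

On a Cisco IOS router the second rule is the per-interface command `no ip directed-broadcast`; the first is an outbound access list on the external interface that permits only the enclave's own prefixes as source.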


Don't be a victim of a DDoS attack.

While it has not happened to date, it is possible that DoD systems could be targeted in the future by such attacks.

From a potential victim's perspective, the best advice is to be prepared to be a victim. The current denial of service attacks rely only on a site's ability to receive network traffic through a finite network connection. These attacks take advantage of the large number of vulnerable systems connected to the Internet, so there is no simple "fix" for them. Once a site has been targeted, there are a number of things that can be done to restore service in a timely manner. System owners are advised to prepare in the following manner:

• Identify mission-essential systems that must be available to users from the Internet. If a denial of ser-
Air Force Materiel Command's Information Defense

Col Kevin J. Kirsch, USAF

Cyberterrorism, Internet attacks, malicious intrusions, and hacker activity are on the rise. Credit card data for thousands of people is offered for sale over the net.

Air Force systems and networks are targets. Protection of our systems and data is the new challenge, and Air Force Materiel Command (AFMC) is structuring itself to meet that challenge with a dedicated effort addressing all aspects of information assurance (IA).

Efforts to attack, sabotage, and corrupt government and industrial systems and data, sometimes in "sport" and sometimes as a conspiracy, have become a widespread problem plaguing everyone from the smallest businesses to the biggest government organizations. Network defenses and vigilance have been the two most common responses, but waiting for the next hacker is an insufficient approach to network protection. In AFMC we have taken a proactive approach to protecting our systems.

In an aggressive effort beginning in late 1998, AFMC developed and deployed a team of network security and operational experts under the banner of Operation Palisade. The team's continuing mission is to seek out network security weaknesses before they can be exploited and to remove them through the implementation of secure network practices and technologies. The effort is focused on the single goal of protecting the mission-critical information contained on AFMC networks throughout the United States and the world. The challenge is particularly daunting because AFMC's relationships with various research centers and contractors mean that our networks have a larger-than-expected number of potentially open components.

The primary foundation on which Operation Palisade builds is the full application of the Air Force's Barrier Reef process. This proven methodology is designed to create boundary protection for all AFMC base intranet networks, protect those networks at their entry points to the Internet, provide specific network security training to base network managers, and increase AFMC network monitoring and auditing as soon as security weaknesses are identified. We feel that our Operation Palisade efforts, combined with the mandated actions laid out in applicable Air Force regulations and instructions, have positioned us not only to respond to problems, but to prepare our subordinate bases and organizations to position themselves proactively for the threats that surely lie just around the corner.

Are we where we want to be or need to be in our defensive posture? The answer is clearly "no." We need to move beyond Barrier Reef and Operation Palisade. We need to address all the capabilities of the Air Force's Defensive Counter-information (DCI) Operations program, including not only information assurance, but also operations security, electronic protection, counterintelligence, and other capabilities, as spelled out in Air Force Policy Directive 10-20. In the process of moving forward, AFMC has put the IA lead in charge of the overall command DCI program and given me the responsibility to coordinate all of the efforts in the realm of Defensive Information Operations.

By consolidating IA and DCI Operations leadership, we have put ourselves on a path for continuous improvement, and created a self-initiated challenge to succeed. There is much to do. AFMC is a target-rich environment for both the recreational hacker and the industrial spy. On the other hand, our challenges are no different from those faced by industry, other Air Force Major Commands (MAJCOM), or our sister services.

We are proud to be part of the large team, working hard with the other MAJCOMs, the Services, and industry to stay one step ahead of the next incident. We feel we have a positive story to tell, but recognize that others do also. For every good idea we have, we seek multiple opportunities to gather the best practices of others and to explore, in the field or in the lab environment, the best use of current capabilities and information on products under development.

Colonel Kirsch is the Chief, Mission Support, Network Operations & Security Division, HQ Air Force Materiel Command, Wright-Patterson AFB, OH. He was commissioned as a 2nd Lieutenant following completion of the ROTC program and graduation from Duquesne University in Pittsburgh, PA. He has held a variety of base-level and tactical positions, including four command positions ranging from a detachment in Iceland to Installation Commander of RAF Croughton, England. In his current position he is responsible for assessment of the operational effectiveness and efficiency of information, security, applications, and systems for customers throughout Air Force Materiel Command, and is the overall lead for the command Defensive Counter Information program.


Zenith Star

ic events from the facilitators at predetermined times. The participants were expected to evaluate the events in real time and formulate a response. While this sounds relatively simple, the intent of Zenith Star 99-1 was to examine interagency coordination; thus the teams had to present a coordinated response to the Control Cell for a specific event. If the participants recommended an appropriate action within a reasonable amount of time, long-duration events would be stopped prematurely by the Control Cell. Otherwise, events continued until terminated as determined by the scenario.

Coordination between teams was conducted using the communications available to the participants. All coordination activities, such as phone calls, simulated E-mails, and faxes, were recorded on templates provided to the participants. Facilitators were also present at any face-to-face meetings. Using the exercise scenario as ground truth, facilitators were therefore able to assess situational awareness within and across teams, and determine the overall state of the exercise at the end of each day. These assessments helped facilitators identify lessons learned and issues for future consideration.

Participants generally found the exercise to be beneficial. Zenith Star 99-1 showed that the CND community is making significant progress toward developing an effective CND process. Specifically, the ongoing efforts to increase CND coordination between operators, intelligence, and law enforcement are paying dividends. Continued planning initiatives and exercises will help to refine processes further, and prove valuable to the CND community as a whole.

The Zenith Star 99-1 After Action Report (AAR) is available on the JTF-CND SIPRNET Web site. Questions and comments are welcomed and encouraged.

Major Gerald Burton, USA, is a Defensive IO Planner in the JTF-CND J5/7 Section. He is an Information Operations Functional Area Officer, and holds an M.S. from Central Michigan University. He may be reached at burtong@jtfcnd.ia.mil.

Mr. Richard Phares is a member of the IATAC, and designs, develops, and executes Information Operations wargames for various clients. He holds an M.S. from the Naval Postgraduate School, Monterey, CA. He may be reached at iatac@dtic.mil.
The Army Prepares for the Next Generation of Warfare

MAJ Robert Turk, USA
CPT Shawn Hollingsworth, USA

As the Army prepares to digitize the force, a new threat is developing, one that is unlike any the Army has seen before. Rather than spending billions of dollars on materiel, our enemies are now investing in information warfare (IW). Future conflicts are expected to be asymmetric, which means that IW forces will inflict substantial damage on large, computer-dependent adversaries.

In the Washington Times, the Chinese People's Liberation Army (PLA) publicly announced its plans to conduct Internet warfare against the United States. The PLA is gearing up for wartime computer attacks on networks and the Internet that will affect everything from banking to our military's communications structure.

In the past year, attempts to gain unauthorized access to the Army's networks have greatly increased, from the Melissa virus to computer attacks against the Pentagon by an Israeli hacker and two teenagers from California. The Army is now placing as much attention on protecting communications networks as it spent in preparing for the rollover to the year 2000 (Y2K). The U.S. Army Signal Center, Fort Gordon, Georgia, has responsibility for the combat developments of tactical, strategic, and sustaining base communications systems and the security systems that protect them. The Signal Center represents the warfighter in the development of information assurance (IA) tactics, techniques, and procedures to protect our tactical networks from our enemies.

During a recent IA Industry Day Conference, Lieutenant General David Kelley, Director, Defense Information Systems Agency (DISA), stated that an "Information Pearl Harbor" is imminent. It is not a matter of whether such an attempt will be made, but when. The Signal Center is taking this new threat into consideration as the Army migrates to the Warfighter Information Network-Tactical (WIN-T), which will replace the Tri-Service Tactical Communications (TRI-TAC) and the Mobile Subscriber Equipment (MSE) switch systems.

WIN-T is the Army's Force XXI command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) tactical communications network, and it will integrate joint, multinational, commercial, and battlefield networks into an intranet that provides mobile, secure, survivable, seamless multimedia connectivity between all elements within the battlespace from theater to battalion level. WIN-T's backbone will support multiple security levels (MSL), namely TOP SECRET/Sensitive Compartmented Information (TS/SCI), SECRET, and Sensitive but Unclassified (SBU), and various modes of information, including voice, data, video, and imagery.

Network-based monitoring technology within the Defense Information Infrastructure (DII) is being mandated on a large scale across the DoD. WIN-T will include IA security features throughout the network that will employ the DoD's defense-in-depth strategy to protect, detect, and respond to attacks on the military's information systems. IA offers authentication (verification of the originator), nonrepudiation (incontestable proof of participation), availability (unimpeded access for authorized users), confidentiality (protection from unauthorized disclosure), and integrity (protection from information damage).

The layering of IA technology solutions is the fundamental principle of the defense-in-depth strategy, which includes three key areas of protection: external perimeter, internal network, and local computer hosts.

Protected electronic perimeters are needed for local enclaves because many end-user systems have little built-in protection against external access. These systems are difficult to administer well enough to provide an effective defense. Protected perimeters are like castle walls and gates, which enable professional administrators to control flow in and out. They also enable traffic through the gate to enter and leave at various levels during changing information conditions and allow specific services to be deactivated if they come under successful attack.

The external perimeter safeguards include firewalls, intrusion detection, inline encryptors, and, where necessary, physical isolation. Internal network protection consists of a combination of security guards, firewalls, and/or router filtering devices to serve as barriers between echelons and/or functional communities. Host-based monitoring technologies can detect and eradicate malicious software (e.g., viruses); detect software changes; check configuration changes; and generate an audit, audit reduction, and audit report.

The defense-in-depth strategy will provide a robust and resilient infrastructure designed to limit, contain, and repair damage that results from attacks. The fundamental criteria of the defense-in-depth strategy are that no single attack can lead to the failure of a critical function and that no critical function or system is protected by a single protection mechanism. This strategy is a key element in the successful implementation of IA in the WIN-T network.

The illustration below depicts WIN-T's conceptual security architecture, which follows the layered protection strategy. Each layer will consist of a different configuration of IA tools designed to prevent a would-be intruder from gaining access to all systems by defeating one layer.

External Layer
The external layer, the strongest layer of protection in the network, is the first line of defense in the defense-in-depth architecture. The primary focus of the perimeter is protecting the inside from the outside, but enclave boundaries also provide some protection against malicious insiders (e.g., those who use the enclave to launch attacks). Protection measures include firewalls, filtering routers, replication servers, strong authentication, authentication servers, Internet Protocol (IP) security/virtual private networks (VPN), and measures to defend against back doors that circumvent firewalls, such as internal use of cellular phones or modems (e.g., sending data through voice private branch exchanges). The external layer and its suite of IA equipment will interface with external connections, such as the Secret IP Router Network (SIPRNET), SBU IP Router Network (NIPRNET), and Joint Worldwide Intelligence Communications System (JWICS).

Network Layer
This layer focuses on network-based monitoring (intrusion detection), thereby providing the capability to identify attacks and suspicious network activity. It captures and forwards event data to a predefined IA cell or the Regional Computer Emergency Response Team (RCERT).

User Level
Command and control (C2) Protect tools will be employed on the individual host workstations. Host-based monitoring will reside on servers and end-user systems and will detect attacks against individual hosts. The detect capability of this type of monitoring is more fine-grained than network-based monitoring and can be the best line of defense in detecting malicious insiders. Local host protection software consists of Transmission Control Protocol (TCP) Wrappers for individual access control, a Security Profile Inspector (SPI), Simple Watcher (SWATCH) for alerting when audit anomalies occur in the profile, and McAfee virus protection. This C2 Protect package is the last line of defense against unauthorized use and entry.
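The "detect software changes" and "check configuration changes" capability of the host-based tools above, shown as a minimal baseline-and-compare integrity checker in Python. This is an added example, not WIN-T, SPI, or any vendor's code; the file tree, paths, and "intruder" edits are constructed in a temporary directory so it runs stand-alone.

```python
"""Tripwire-style integrity baseline: snapshot a tree, then report what an
intruder added, removed or changed. Added example, not from the article;
the tree and the changes in demo() are constructed."""

import hashlib
import os
import shutil
import stat
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to (sha256, mode, size).
    Mode bits are recorded so that a chmod to setuid is caught even when the
    contents are untouched."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = (_sha256_file(path), stat.S_IMODE(st.st_mode), st.st_size)
    return entries


def compare(baseline, current):
    """Report added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Build a small constructed tree, baseline it, apply intruder-style
    changes, and return the comparison."""
    root = tempfile.mkdtemp(prefix="integrity-")
    try:
        _write(root, "bin/login", b"original login binary\n", 0o755)
        _write(root, "bin/ls", b"original ls binary\n", 0o755)
        _write(root, "etc/hosts.allow", b"sshd: 192.0.2.0/255.255.255.0\n")
        _write(root, "var/log/secure", b"Jan  1 00:00:01 host sshd: accepted\n", 0o600)
        baseline = snapshot(root)

        _write(root, "bin/login", b"trojaned login binary\n", 0o755)  # binary replaced
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)                  # setuid added, content same
        _write(root, "etc/hosts.allow", b"sshd: ALL\n")                 # access control loosened
        _write(root, "usr/sbin/ns", b"ddos daemon\n", 0o755)            # new daemon dropped in
        os.remove(os.path.join(root, "var/log/secure"))                 # log wiped
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

The baseline is only as trustworthy as its storage: keep it on read-only media or on another host, since an intruder who can replace /bin/login can also rewrite a baseline kept beside it.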

Voice subscribers will be able to place and receive secure telephone calls to subscribers located on switched networks that incorporate National Security Agency (NSA) Type 1-approved devices. WIN-T will provide selected users with a handheld device that will connect via terrestrial and available satellite means to the WIN-T infrastructure, and via airborne platforms to communicate within the area of operations, both in and around command posts/tactical operations centers (TOC). It will have a secure (NSA-approved) capability that provides voice, data, and video communications.

Another form of IA that will be available to the user is the Public Key Infrastructure (PKI). PKI refers to the framework and services that provide for the generation, production, distribution, control, and accounting of public key certificates. It provides critical support to security applications providing confidentiality, authentication of network transactions, data integrity, and nonrepudiation.

WIN-T is not designed to counter a specific threat. However, certain IA components are designed to protect WIN-T from the IW threat. As part of this strategy, IA protects the Army's C2 information network from attempts to penetrate the network to obtain, disrupt, or manipulate the resident information. It allows simultaneous access and processing protection for users at different security levels.

IA and the security features within the WIN-T network will continue to change after the network is fielded in 2005. Even as technology evolves and the threat changes, the Army must continue to protect its vital communications networks.
The recent "denial of service" attacks against America Online, Yahoo, and other ISPs and content providers suggest that computer networks are vulnerable to widespread attack from a variety of adversaries. Complicating these issues are the global nature of such activities and the disparate nature of the kinds of attacks these services have to guard against.

Critical to this discussion is the fact that the dispersal of the toolkits available to hackers makes it all but certain that sniffing out, tracking down, and eliminating these threats will occupy the best network minds for some time to come.

As webmasters, systems administrators, and network security managers rethink the problem, they will, out of necessity, focus a large part of their effort on mitigating virus attacks, in all their forms.

The similarity between computer network systems and biological systems is uncanny. This comparison is common both within Information Technology publications and among users of computer network systems. Addressing computer networks as living systems from the standpoint of health makes one recognize the plethora of vulnerabilities that exist. One of the greatest threats to the health of an organization's computer networks is computer viral infection or contagion. Containing these contagions and eradicating them before the health of a network is degraded requires understanding and real-time vigilance on the part of users, network administrators, and software developers.

The Pathology of Computer Viruses
A computer virus is a program, or software code, designed to replicate and spread, generally with the victim being oblivious to its existence. The mere mention of "computer virus" sends computer novices and experts scrambling to download the latest update of Norton, McAfee, or IBM antivirus software. Their reaction is justified. Every large corporation and organization has experienced a virus infection; most experience them monthly. According to data from IBM's High Integrity Computing Laboratory, corporations with 1,000 or more personal computers (PC) now experience a virus attack every 2 to 3 months, and that frequency will likely double in a year.[1] The number of virus attacks may seem unusually high if it is viewed independently. However, when Symantec Corporation (a supplier of DoD antiviral software) defines and categorizes 21,389 known viruses and McAfee (the other supplier of antiviral software to DoD) categorizes more than 40,000 viruses, the number of virus attacks is put in a new light. These viruses, usually benign or merely annoying, can slow performance, absorb resources, change screen displays, and in the end disrupt or deny service to such an extent that it affects an organization's bottom line: profit or mission accomplishment.

Computer viruses come from a variety of sources and spread by attaching themselves to other programs (e.g., word processors or spreadsheet applications) or to the boot sector of a disk. When the infected file is activated or executed, or when the computer is started from an infected disk, the virus itself is also executed. Viruses can also lurk in computer memory, waiting to infect the next program that is activated or the next disk that is accessed.

Dataquest's 1991 study of major U.S. and Canadian computer users for the National Computer Security Association found that most users blame infected diskettes (87 percent) as the source of a virus. Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home. Nearly three-quarters (71 percent) of infections occurred in a networked environment, making rapid spread a serious risk. Seven percent of computer users said they had acquired their virus while downloading software from an electronic bulletin board service or Web site. Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians, and shrink-wrapped software disks; these other sources contributed 6 percent of reported infections.[2] Although no new statistics are currently available, networking, enterprise computing, and inter-organizational communications are growing. Accompanying the growth in telecommuting and networking is an increase in infections.

Viruses are growing in complexity and variety. In 1986, there were just four known PC viruses. In today's virus-rich environment, more than three viruses are created every day, for an average of 110 new viruses created in a typical month. There are several variations of viruses, but there are only three ways that a virus can access a system. "Computer Viruses: Past, Present and Future" describes these three methods as follows:

File Viruses

Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. These viruses infect files by attaching themselves to a file, generally an executable file, the .EXE and .COM files that execute applications and programs. The virus can insert its own code in any part of the file, provided it changes the host's code somewhere along the way, misdirecting proper program execution so that it executes the virus code first, rather than the legitimate program. When the file is executed, the virus is executed first.

Boot Sector / Partition Table Viruses

Although there are only about 200 boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are difficult to detect. They do not change a file's size or slow PC performance, so they are fairly invisible until their trigger event occurs. Events such as reformatting a hard disk or scanning a disk serve as a trigger. The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot-up process. Booting from an infected floppy allows the virus to jump to the computer's hard disk. The virus executes first and gains control of the system boot program code even before the operating system (OS) is loaded. Because the virus executes before the OS is loaded, it is not OS-specific and can infect any PC operating system platform: MS-DOS, Windows, OS/2, PC-NFS, or Windows NT. The virus enters random access memory (RAM) and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Partition table viruses attack the hard disk partition table by moving it to a different sector


Trojan Horse

Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable; e.g., a legitimate software program. The Trojan Horse generally does not replicate (although researchers have discovered replicating Trojan Horses). Rather, it waits until its trigger event and then displays a message or destroys files or disks. Alongside the Trojan Horse is the Trojan Mule, which fools authorized users into giving their LOGIN information, passwords, and user-IDs. Once a user types in the valid user-ID/password LOGIN information, the virus sends that information to the file implemented and displays a LOGIN error message. As the authorized user retypes the information, the virus has already exited, the real LOGIN program regains control, and the user never suspects that LOGIN information has been revealed. The difference between the Trojan Horse and Trojan Mule viruses is that the mule does not even try to perform a useful function (e.g., game, application) and it disappears from the system once it has done its work, whereas the horse remains in the system until it is cleaned out.

File Overwriters

These viruses infect files by linking themselves to a program, keeping the original code intact and adding themselves to as many files as possible. Innocuous versions of file over-writers may not be intended to do anything more than replicate but, even then, they take up space and slow performance. And because file over-writers, like most other viruses, are often flawed, they can damage or destroy files inadvertently. The worst file over-writers remain hidden only until their trigger events. Then they can deliberately destroy files and disks.
Polymorphic Viruses

The availability of a mutation engine that lets virus creators turn simple viruses into polymorphic viruses ensures that polymorphic viruses will only proliferate over the next few years. Like the human AIDS virus, which mutates frequently to escape detection by the body’s defenses, the polymorphic computer virus mutates to escape detection by anti-virus software that compares it to an inventory of known viruses. Code within the virus includes an encryption routine to help the virus hide from detection, plus a decryption routine to restore the virus to its original state when it executes. Polymorphic viruses can infect any type of host software. Although polymorphic file viruses are most common, polymorphic boot sector viruses have already been discovered.

Stealth Viruses

These viruses are specially engineered to elude detection by conventional anti-virus tools. The stealth virus adds itself to a file or boot sector, but when the host software is examined, it appears normal and unchanged. The stealth virus performs this trick by lurking in memory when it is executed. There, it monitors and intercepts the OS’s calls. When the OS seeks to open an infected file, the stealth virus races ahead, disinfects the file, and allows the OS to open it; all appears normal. When the OS closes the file, the virus reverses these actions, thereby re-infecting the file. Boot sector stealth viruses insert themselves in the system’s boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve the legitimate code and pass
and replacing the original partition table with the virus’ own infectious code. These viruses spread from the partition table to the boot sector of floppy disks as floppy disks are accessed.

Multipartite Viruses

These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multi-partite viruses can spread with the ease of a file virus, but they still insert an infection into a boot sector or partition table. This tendency makes them particularly difficult to eradicate. Tequila is an example of a multi-partite virus.

Although there are only three ways to infect a system, there are hundreds of variations of viruses. The sidebars (pages 17 through 21) contain descriptions of virus variations taken from “Computer Viruses: Past, Present and Future,” “Demystifying Computer Viruses,” and “Computer Security Basics.” This list is not all-inclusive, but it describes some of the common variations to date.

Viruses affect computers and networks differently. The purpose of most viruses is to remain undetected, thereby allowing them to spread throughout the organization until they degrade performance or destroy data. Most viruses give no symptoms of their infection, thus driving the use of anti-virus tools. Anti-virus tools allow users to identify these quiet killers. However, many viruses are flawed and do provide some tip-offs to their infection. Here are some indications to watch for:[3]

• Changes in the length of programs
• Changes in the file date or time stamp
• Longer program load times
• Slower system operation
• Reduced memory or disk space
• Bad sectors on the floppy
• Unusual error messages
• Unusual screen activity
• Failed program execution
• Failed system boot-ups when booting or accidentally booting from the A: drive
• Unexpected writes to a drive.
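The first two indications in the list, a change in a program’s length and a change in its date or time stamp, are the ones a defender can check mechanically. The following is an added example, not code from the article: a baseline integrity check that records the length, time stamp and SHA-256 digest of every program file under a directory and reports what changed. The extension list, the temporary directory and the three sample files in `demo()` are constructed for the illustration.

```python
"""Baseline integrity check for program files (added example, not from the
IAnewsletter article). A baseline is recorded on a known-clean system and
compared later; a file virus that appends itself changes the length, a file
overwriter that keeps the length changes the digest, and a companion or
dropper shows up as a new program file."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Extensions the sidebar names as the usual hosts of file viruses, plus two
# other executable types a baseline would normally cover (constructed list).
PROGRAM_EXTENSIONS = {".exe", ".com", ".sys", ".dll"}


@dataclass(frozen=True)
class FileRecord:
    size: int
    mtime: int        # modification time in whole seconds
    sha256: str


def record_file(path: str) -> FileRecord:
    """Summarise one program file by length, time stamp and SHA-256 digest."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return FileRecord(size=st.st_size, mtime=int(st.st_mtime), sha256=digest.hexdigest())


def build_baseline(root: str) -> dict:
    """Walk `root` and record every program file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = record_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return {relative path: [findings]} for files that changed length, time
    stamp or content since the baseline, disappeared, or newly appeared."""
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = ["missing"]
            continue
        changes = []
        if new.size != old.size:
            changes.append(f"length {old.size} -> {new.size}")
        if new.mtime != old.mtime:
            changes.append("timestamp changed")
        if new.sha256 != old.sha256:
            changes.append("content changed")
        if changes:
            findings[rel] = changes
    for rel in sorted(current.keys() - baseline.keys()):
        findings[rel] = ["new program file"]
    return findings


def demo() -> dict:
    """Constructed scenario in a temporary directory: a clean baseline, then
    a.exe grows by a few bytes (a file virus appending itself), b.com is
    rewritten at the same length (a file overwriter), and c.exe appears."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"a.exe": b"MZ" + b"\x00" * 8,
                           "b.com": b"\xeb\x10" + b"\x90" * 14,
                           "notes.txt": b"not a program"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "a.exe"), "ab") as fh:
            fh.write(b"XXXXX")                      # length 10 -> 15
        with open(os.path.join(root, "b.com"), "wb") as fh:
            fh.write(b"\xeb\x10" + b"\xcc" * 14)    # still 16 bytes long
        with open(os.path.join(root, "c.exe"), "wb") as fh:
            fh.write(b"MZ")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for path, notes in demo().items():
        print(path, "; ".join(notes))
```

The digest is what catches the same-length rewrite, which a length-and-timestamp check alone would miss.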

This list of virus variations and symptoms is not all-inclusive. Additional information can be found at the following Web sites:[4]

• http://www.rootshell.com (exploits)
• http://www.insecure.org/sploits.html (exploits)
• http://ciac.llnl.gov/ciac/CIACVirusDatabase.html (virus information)
• http://www.snafu.de/~madokan/mvic/viruscont.html (virus creators)
• http://www.symantec.com/avcenter/index.html (virus information)
• http://vil.mcafee.com (virus information)
• http://www.virusbtn.com (virus information)

The viruses discussed above are only the most common variations of computer viruses and their symptoms. Computer viruses have cost companies worldwide nearly $2 billion since 1990, with those costs accelerating to $1.9 billion in 1994. This cost is directly related to virus cleanup, not loss of profit. Profit loss caused by viruses is impossible to calculate. Organizations are combating the virus problem with anti-virus software. The cost of this software is expected to grow from $700 million in 1997 to $2.6 billion by 2001.[5]

So what can an organization do to prevent computer viral infections, and what is the best response in the event of an infection? These questions are best answered by analyzing a real event. This event is current and represents the best possible response to date by the Federal Government, DoD, and industry. As reported by the SANS (System Administration, Networking, and Security) Institute, the response of these organizations was “impressive.”

Containing Contagion: A Case Study

History will remember several notable landings: the landing of the lunar module on June 20, 1969; the landing of ET the extraterrestrial in movie cinemas in 1982; the landing of Mark McGwire in record books with his 70th home run in September 1998; and the landing of Melissa in commercial, military, educational, and home PCs on March 26, 1999.

One might ask, “Who is Melissa?” The question is in fact, “What is Melissa?” Melissa is a virus, conceivably the fastest spreading virus PCs have seen since the infamous Morris Worm, which infected more than 6,000 computers in a matter of hours (ftp://coast.cs.purdue.edu/pub/doc/morris_worm/GAO-rpt.txt) in November 1988. By March 30, 1999, Melissa had successfully infected about 70,000 E-mails. It was the first virus to have prompted Federal law enforcement to send out a warning about computer viruses; the Federal Bureau of Investigation (FBI) joined with the National Infrastructure Protection Center (NIPC) to issue a warning in anticipation of the tidal wave of E-mails that Melissa was expected to generate.

Melissa is a macro virus, which means that its infectious code is resident in a macro (a symbol, name, or key that represents a list of commands, actions, or keystrokes) contained in a Microsoft Word document (see right side bar). In Melissa’s case, the macro has instructions to disable macro detection capabilities, read the first 50 names in a recipient’s Microsoft Outlook address book, and forward itself as an attachment to those individuals, or groups of individuals. When this forwarded E-mail message is received and opened, the macro begins again its cycle of E-mail generation, thus bogging down and potentially crashing mail servers through its exponential rate of infection. This type of attack is known as a denial of service.

While the shutdown of electronic mail servers is destructive enough, there is at least one other potentially hazardous result of this virus. Melissa is spread through a Microsoft Word document. However, this virus is constructed in such a way that it infects whatever document is open at the time the infected attachment is displayed, and that document is the one that is forwarded with the virus. Imagine this scenario: You are typing a classified document when you receive Melissa. When you open the attachment, i.e., the macro virus, it now places itself on

continued on page 22


control to it to accomplish the boot. Under examination, the boot sector appears normal, but the boot sector is not in its normal location.

Macro Viruses

Macros are, in essence, mini-programs that take much of the legwork out of repetitive or template-oriented documents. For example, to minimize the work involved in typing the date in correspondence, a user could program a macro to insert the day, month, and year all at once when the letter “D” is typed. Macro viruses are carried in the types of data files that business computer users most often exchange: word processed documents and spreadsheets. Also, because these data files are often exchanged by E-mail, they sometimes bypass the checks that virus-aware organizations already have in place; experts estimate that 40 percent of virus attacks are made this way. Macro viruses are created with the aid of the macro routines contained within all word processing and spreadsheet application software, such as Microsoft Word and Excel. They attach themselves to any document files that use the macro code, so that they can then be executed through the application software. The whole purpose of macro languages is to insert useful functions into documents, which are then executed as the documents are opened. This is what makes macro viruses easy to write. But one of the reasons they have become so prevalent is the success of Microsoft Office, which has 80 percent of the global market for integrated packages, a tempting target for macro virus writers.

Memory-Resident Viruses

The memory resident characteristic is the most common among viruses. When viruses load into memory via a host application, they remain in memory until the computer is turned off. At this stage of their existence, viruses can easily replicate into boot sectors and applications.

Non-Memory-Resident Viruses

These viruses can infect the system only when the host application is running. When the host application is closed, the virus is closed down as well. Therefore, if applications are opened after a host application is closed, there is no danger of infecting the system with that specific virus at that time.

Companion Viruses

To understand this characteristic, it is helpful to have a basic understanding of the sequential order of how system files work. In launching an executable file, either the user manually issues a command or the interface executes a command. Most applications have a file-type (FT) extension of .EXE. When invoking these commands, the user or the computer gives the name of the application without the extension. The system executes other system files with the same name before executing the application’s FT. A companion virus creates a name that matches the file name but with a different extension (e.g., *.COM). The *.EXE file executes; however, the *.COM (infected file) launches first and infects the system. Most antiviral software packages can identify this characteristic.


Bomb

A bomb is a type of Trojan Horse that is used to release a virus, a worm, or some other system attack. It is either an independent program or a piece of code that has been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time, or condition


your already opened Word document and forwards THAT document to the first 50 addressees in your address book.

Several aspects of this virus have helped its seemingly global proliferation. One of the most significant aspects is its use of a user’s own address book to forward the infectious E-mail. This means that an ordinary user, who would be suspicious of E-mail from an unknown source, receives the virus as if a friend, co-worker, family member, etc. sent it, thereby instilling a false sense of security. In addition, this virus is spread with the help of Microsoft Word and Microsoft Outlook, two programs that are resident in a vast majority of PCs today due to the overwhelming popularity of Microsoft Office.[6]
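The propagation pattern described above, one attachment leaving many different mailboxes and going to dozens of recipients per sender within minutes, is visible in mail-server logs before any signature for the document exists. The following is an added example, not code from the article or from any of the organizations named in it: a detector that keys on the attachment name and counts, per sender, distinct recipients inside a sliding window, then calls an outbreak when the same burst is seen from several senders. The log line format, the addresses, and the thresholds are constructed for the illustration.

```python
"""Mass-mailer detection over mail-server log lines (added example; the log
format, addresses and thresholds are constructed, not taken from the article).
A Melissa-style outbreak is one attachment forwarded by many senders, each to
the top of their own address book, so the detector keys on the attachment name
and on per-sender recipient bursts rather than on the document's contents."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
BURST_RECIPIENTS = 40    # one sender, one attachment, this many distinct recipients in WINDOW
OUTBREAK_SENDERS = 3     # the same burst seen from this many distinct senders


def parse_line(line):
    """Parse one constructed log line of the form
    '1999-03-26 16:55:02 from=a@x.mil to=b@y.mil attach=list.doc'."""
    date, clock, rest = line.split(" ", 2)
    fields = dict(item.split("=", 1) for item in rest.split())
    ts = datetime.fromisoformat(f"{date} {clock}")
    return ts, fields["from"], fields["to"], fields.get("attach", "")


def burst_senders(events):
    """events: (timestamp, sender, recipient) tuples for ONE attachment name.
    Return the senders that reached BURST_RECIPIENTS distinct recipients
    within any WINDOW-long stretch of their own sends."""
    per_sender = defaultdict(list)
    for ts, sender, rcpt in sorted(events):
        per_sender[sender].append((ts, rcpt))
    flagged = []
    for sender, sends in per_sender.items():
        start = 0
        seen = defaultdict(int)          # recipient -> sends inside the window
        for ts, rcpt in sends:
            seen[rcpt] += 1
            while ts - sends[start][0] > WINDOW:   # slide the window forward
                old = sends[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= BURST_RECIPIENTS:
                flagged.append(sender)
                break
    return sorted(flagged)


def detect_mass_mailer(lines):
    """Return {attachment name: [bursting senders]} for every attachment that
    bursts from at least OUTBREAK_SENDERS distinct senders."""
    by_attachment = defaultdict(list)
    for line in lines:
        ts, sender, rcpt, attach = parse_line(line)
        if attach:                        # messages without an attachment are ignored
            by_attachment[attach].append((ts, sender, rcpt))
    outbreaks = {}
    for attach, events in by_attachment.items():
        senders = burst_senders(events)
        if len(senders) >= OUTBREAK_SENDERS:
            outbreaks[attach] = senders
    return outbreaks


def build_sample_log():
    """Constructed log: three users each forward list.doc to 50 contacts within
    seconds of opening it (the pattern described above); one user mails a
    report to 45 colleagues, which is a burst but not an outbreak; and one
    ordinary message carries no attachment."""
    t0 = datetime(1999, 3, 26, 16, 55, 0)
    lines = []
    for n, sender in enumerate(["alice", "bob", "carol"]):
        for i in range(50):
            ts = t0 + timedelta(minutes=5 * n, seconds=i)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} from={sender}@example.mil "
                         f"to=user{i}@example.mil attach=list.doc")
    for i in range(45):
        ts = t0 + timedelta(minutes=20, seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} from=dave@example.mil "
                     f"to=user{i}@example.mil attach=q1-report.xls")
    lines.append("1999-03-26 17:30:00 from=erin@example.mil to=frank@example.mil attach=")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for attach, senders in detect_mass_mailer(SAMPLE_LOG).items():
        print(f"outbreak: {attach} bursting from {len(senders)} senders: {', '.join(senders)}")
```

Keying on the attachment name rather than a content signature is what lets this fire before the anti-virus vendors have a definition, which the account below notes was the gap in Melissa’s case; the attachment-size restriction the Army imposed is a blunter form of the same idea.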

The DoD’s and Services’ Information Assurance processes helped ensure that Melissa’s impact on DoD and the Services was minimal. The Army began receiving the virus shortly before 5:00 p.m. on Friday, March 26, 1999. Half an hour later, the Army Computer Emergency Response Team (ACERT) began receiving notices from its Regional CERTs (RCERT), and by 6:00 a.m., the virus had spread throughout DoD systems worldwide.

Once users began receiving E-mail from known acquaintances but with an “out-of-character” attachment, they began contacting their local systems administrators who, in turn, alerted the ACERT at Ft. Belvoir, Virginia, and the technical support staff at Microsoft (which created the software the virus was designed to run on), and McAfee and Norton, two anti-virus companies. After the virus was discovered, a restriction was placed on the size of E-mail attachments. A message was distributed to all E-mail users, instructing them to not open attachments or enable macros in Microsoft Word documents they received via E-mail unless they were sure of the document’s origin.

Working in concert with industry, Government officials were able to detect and attack the virus and implement fixes that were distributed to systems administrators and users in record time. RCERTs went to a heightened level of management and detection, and the Army Signal Command directed the information management officials at 18 major facilities to scan E-mail servers using an application received from Microsoft and delete E-mail traffic infected with the virus. Throughout the night, ACERT coordinated reports, orchestrated solutions to the virus with McAfee and Norton, and assisted system administrators with installing fixes. By Monday, March 29, 1999, the virus was contained and eradication was well on its way. This reaction established a process termed “Positive Control,” and the proactive efforts of all involved made this rapid containment happen, along with the close cooperation with the software industry.[7]

Disinfecting Melissa was actually a fairly simple process, even if labor intensive. Ordinarily, the fix would have merely involved retrieving the latest virus definitions from a reputable virus-scanning source, such as Norton or McAfee, and scanning client and server hard drives. The glitch in Melissa’s case was that these virus-scanners were caught relatively off guard with this virus. Normally, anti-virus software companies know about new viruses long before they are released and, therefore, are able to release updated virus definitions to their clients before the danger arrives. For some reason, Melissa was kept under close wraps until its release on March 26. In the end, the damage caused by Melissa will be measured in the millions of dollars. But the lessons learned from this attack are being institutionalized. Contagion in cyberspace can be contained.
occurs. There are two types of bombs: time and logic. A time bomb is set to go off on a particular date or after some period of time has elapsed. The Friday the 13th virus was a time bomb. A logic bomb is one that is set to go off when a particular event occurs. Software developers have been known to explode logic bombs at key moments after installation; if, for example, the customer fails to pay a bill or tries to make an illicit copy.

Spoof

This is a generic name for a program that tricks unsuspecting users into giving away privileges. Often, the spoof is perpetrated by a Trojan Horse mechanism in which an authorized user is tricked into inadvertently running an unauthorized program. The program then takes on the privileges of the user and may run amok.

Bacteria

These are programs that do nothing but make copies of themselves, but by doing so they will eventually use up all system resources (i.e., memory, disk space).

Rabbits

This is another name for rapidly reproducing programs.

Crabs

These programs attack the display of data on computer terminal screens.

Salami

Salami slices away (rather than hacking away) tiny pieces of data. For example, salami alters one or two numbers or a decimal point in a file, or it shaves a penny off a customer’s bank interest calculations and deposits the pennies in the intruder’s account.
The U.S. Military Academy (USMA) at West Point confronts a novel information age challenge: to balance the needs of a dynamic, technology-rich undergraduate experience for 4,000 cadets with the availability, security, and interoperability concerns for an enterprise local area network (LAN) operating within the Department of Defense (DoD) network infrastructure. Despite


Figure 1. Work at a Z-248, circa 1988.

resource, technology, and culture challenges, this balancing act has been unusually successful over an evolution spanning the 10 years since the USMA network was created in 1989. Perhaps surprisingly, cadets’ education benefits from the moderate discipline imposed by operating the network in accordance with DoD requirements and professional best practices. Typical university data networks, by contrast, operate as mostly unfettered services in which almost “anything goes” with regard to hardware, software, protocols, and modes of use. Although this approach affords great individual freedom, its overall effect may be to reduce network usefulness. Recent trends in campus computing seem to be drawing the rest of academe closer to the computing model employed at West Point.

West Point occupies a rare crossroads of “.edu” and “.mil” domains. This is literal in the sense that many network hosts have names in each domain. Browsing www.usma.army.mil will take a virtual visitor to the same place as www.usma.edu and www.westpoint.edu. The Academy is first and foremost a primary commissioning source for Army officers. It is an Army post, and the post network is an Army information system. “Dot mil” naming and conformance to DoD/Department of the Army (DA) standards is expected and required. However, West Point is also a tier I, accredited academic institution with strong ties to the academic community for research and other professional exchanges. Military and civilian faculty members find that in some settings, an “.edu” address communicates the seriousness with which the USMA views its role in undergraduate teaching, learning, and research.

Attracting the best qualified of America’s high school graduating class each year is an essential aspect of the West Point program. Among bright, knowledgeable high school students, sophisticated technological infrastructure is high on the list of criteria for college choices. After admission, cadet families expect and deserve electronic mail (E-mail) and other electronic contact with their cadets. It follows that a principle of information assurance (IA) at West Point is to support technology programs and systems that meet the expectations of diverse clients outside the gate. Connecting with the American public is essential to fulfilling its institutional mission, so West Point can seldom afford to escape risk by reducing access.

The military/educational duality continues inside the gate. Inquiry is the soul of learning, and inquiry has increasingly come to involve innovative uses of technology. The computing environment at West Point must provide cadet students and faculty members the freedom to experiment with hardware and software and to exchange information worldwide with great convenience while still providing information assurance. Cadets purchase their own computers and software much as they do textbooks and other tools of the academic program, so they have a reasonable expectation of control over their computers’ configuration. On the other hand, the USMA network is a military facility where official business takes precedence. The Army reasonably expects to enforce usage policies and configuration management of network resources.

To be sure, universities and colleges share many of USMA’s challenges. Although few have a dual presence on the Internet, each campus has business to conduct in security and with high reliability while also providing academic freedom of inquiry. Educating students on acceptable use of technology facilities is a shared concern. Students everywhere stay on the leading edge of new information services. Downloadable software of all varieties,


ple, all cadet computers must currently run WindowsNT as their operating system when connected to the network, and except for selected individuals, users may not exercise full administrator privileges.

Acceptance of these limitations is a modest sacrifice for the services provided in return: Internet and intranet access; shared files, printers, and public bulletin boards; and standard directory and E-mail facilities. Configuration standards at West Point allow the orga-


Computer Emergency Response Team [ACERT] alerts), software upgrades, and necessary configuration changes are dispensed each time cadets log in to their network accounts. Army intrusion detectors alert USMA technicians to Internet attacks on cadet computers. Teams are usually able to clear or repair any damage before the cadet knows what has happened. The latest cadet computers include hardware features for central monitoring that have averted significant maintenance problems.


music in “MP3” (compressed) form, and electronic stock trading illustrate developments that have put college officials in catch-up mode, deciding what students can properly and legally do, determining their own legal and ethical institutional responsibilities, and figuring out how to enforce their policies.

USMA differs from its peer academic institutions in the way it confronts IA challenges. A key example is the USMA approach to student computing. Although cadets do own and pay for their computers, the configuration is standard, chosen


Figure 2. Typical cadet work space today.


Technical support is another difference. Most American students come to college with a computer of their own choosing. To an uncomfortable degree, they must fend for themselves in solving software, hardware, and configuration problems. Some institutions are currently finding that students on stipend can fill some of this gap in technology support. West Point has made cadet Information Systems Officers (ISO) part of the Corps of Cadet chain of command for more than a decade. A small team of government technicians mentors ISOs in a range


through a “best value” competitive government solicitation, with software installed in advance. Although some disk space is reserved for cadets to configure however they choose, a precondition for physical connection to the USMA network is use of a government-installed, controlled, managed, and monitored operating environment. For exam-

nized planning and delivery of a wide spectrum of services, a range exceeding that at most schools. A current project will provide each cadet with a high reliability network home directory that is Web-accessible via Hypertext Transfer Protocol (HTTP). IA measures, such as antivirus software updates, operating system patches (often issued in response to Army

of system administration tasks considered to be “second echelon” support (forgotten passwords, installation of hardware drivers, and the like). This structure provides an exceptional developmental experience for the ISOs and an effective, zero-dollar (although not zero person-hour) source of support. Government and con-

continued on page 26
tract personnel perform more sophisticated repairs. All cadets take a one-semester course in computing fundamentals in their first year. Additionally, each year as many as 20 percent of cadets select academic majors or sequences (minors) in disciplines directly related to information technologies, providing a level of expertise to classmates who share their living areas not found at many other institutions.

The ethical and moral aspects of cadet development programs are another essential part of IA at West Point. Inside the West Point firewall, designs to safeguard systems and data are able to assume that malicious intent on the part of users is a rare, and readily punishable, occurrence. Cadets are instructed to consider technology system abuses to be failings of personal conduct or ethics. In short, USMA’s students are asked and required to be part of the IA effort. West Point’s intranet security intends to “keep honest people honest” and to detect the occasional outlying bad behavior. On the other hand, most campus network designers frequently have no choice but to assume that many students will intentionally abuse institutional systems. The Athena project at the Massachusetts Institute of Technology (MIT) and the proliferation of virtual LANs and other elaborate security control mechanisms on campuses stand as examples.

The upshot of USMA’s methods is better education and training for cadets. On any given day, approximately 99.6 percent of cadet computers are available on the USMA network. At other institutions, the popularity of campus-wide student computer purchase programs is growing. These often include limited standard configuration efforts. However, few published data measure overall availability statistics. Whereas most campuses sport an eclectic array of standards, West Point cadet, faculty, and staff computers run identical E-mail, office suite, mathematics, and multimedia software, allowing faculty members to give instructions and assignments that incorporate configuration details. Technology support and security costs are reduced, so available dollars can be focused on improving capabilities rather than on security and middleware. Although cadets do not have complete freedom to connect devices and run disapproved software in the USMA network environment, cadets with bona fide educational needs to operate nonstandard configurations are able to do so in controlled circumstances under the guidance of a faculty mentor.

The lessons of experience are somewhat counterintuitive. The military and government environment of education at West Point benefits its cadet students rather than detracting from their experience. A comprehensive approach to IA for student computing is part of the solution, rather than a problem to be solved.


Lieutenant Colonel Eugene K. Ressler, Jr., is Professor of Computer Science and Associate Dean for Information and Educational Technology at the United States Military Academy (USMA) at West Point, New York. He has served as an Army engineer and computer scientist in various assignments. He graduated from the USMA in 1978 and received a master's degree in computer science from the University of California at Berkeley in 1984 and a Ph.D. in computer science from Cornell University in 1993. He may be reached at ressler@usma.edu.
… the Department of Electrical Engineering … graduate of USMA and received his master's and Ph.D. degrees in computer and systems engineering from Rensselaer …
In Pursuit of the "Trustworthy" Enterprise

Mr. Sean P. O'Neil


Editor's Note: Inclusion of this product within the IAnewsletter does not constitute an endorsement by IATAC or DoD.

Today's consumers may be immediately concerned with protecting their Visa card numbers during on-line purchases, and until just a few weeks ago, government information technology (IT) managers were primarily obsessed with exterminating the year 2000 (Y2K) bug. However, individuals in both private and public sectors feel growing apprehension about security threats from the Internet.

Shared Concerns: Inside and Outside the Beltway

Citizens and government managers alike recognize not only the potential dangers posed by hackers, computer virus writers, Web saboteurs, and other Internet attackers, but also the need to increase the soundness of overall Internet security infrastructure.

Just as businesses and consumers are beginning to tap the Internet's potential for electronic commerce (e-commerce) purposes, government agencies are leveraging the power of the Web to deliver enhanced services and information. However, with the efficiencies offered by the Internet come opportunities for disaster. As the world rushes into the Internet age, the opportunities for security breaches and cyber terrorism continue to escalate.


The Internet opens the e-commerce door to millions of users, while simultaneously exposing Web sites and placing at risk invaluable corporate data, mission-critical business applications, and consumers' confidential information. Web-enabling technologies also have the potential to compromise the integrity of government networks and crucial defense resources. The Internet may soon serve, in effect, to launch commercial hijackings and cyber terrorism directed against the U.S. national infrastructures.

A Real and Imminent Danger

According to the FBI, the average American corporation will experience a major electronic intrusion once every 2 years. On the government side, the General Accounting Office has warned that federal government systems such as tax collection, national defense, and air traffic control networks may face serious threats of severe disruption unless adequate defense measures are quickly put in place.

Fortunately, sophisticated tools are now available to protect e-commerce transactions, IT assets, and network resources. The most powerful of these e-commerce security tools are equally effective in sensitive government IT environments, where property and lives are at stake, not just dollars and credit ratings.

Computer Associates International, Inc., (CA) has developed such a tool. Its eTrust security solutions are used at government and commercial sites to safeguard information and maintain the integrity of vital enterprise resources. eTrust protects mission-critical IT resources and offers broad functionality, including risk assessment, attack detection, and consolidated administration of policy and audit trails. eTrust solutions can also be scaled to suit an environment of any size.

Government agencies and commercial entities deploy eTrust as either stand-alone products or as a comprehensive security suite. eTrust was designed to be used with CA's Unicenter TNG enterprise management solution, thus offering IT managers a consistent approach to building, deploying, and managing security as part of the larger IT administration and control task.

By supporting and exploiting security features of the OS/390, UNIX, and Windows NT operating systems and applications, eTrust's open, expandable architecture allows organizations to leverage their existing technology investments. Public key infrastructure (PKI), LDAP, and smart-card products are a few of the standards-based technologies used by Global 2000 customers and government clients in conjunction with CA's enterprise management and security products.

When the Firewalls Come Tumbling Down

Together with network intrusion detection systems, firewalls have traditionally provided first-level defense against external attacks. However, holes must be punched through firewalls to grant legitimate access to Web-enabled applications. Implementing these applications concurrently provides an opportunity for hackers to exploit application or server vulnerabilities and breach security controls.

Equally disconcerting is the fact that moving to e-commerce and Internet-enabled environments has done nothing to eliminate traditional security threats. On the contrary, these developments have escalated vulnerabilities by increasing the number of people with access to specific internal services. For these reasons, conventional security devices are no longer effective by themselves. Simultaneously implementing several stand-alone security tools is also ineffective because it results in a patchwork solution that leaves weak spots unprotected.
Protecting Against Security Threats on All Fronts

Using eTrust, CA has partnered with government and commercial customers to provide a complete security solution tailored to specific requirements and organization goals, a solution that supports Internet use and also protects the infrastructure. Tight integration among eTrust offerings gives government agencies and business organizations enterprisewide security and also allows them to adopt incrementally eTrust solutions that seamlessly work with one another. Solutions include:

• eTrust Access Control, which provides policy-based control to determine who can access specific systems, what they can do with them, and when access is allowed

• eTrust Admin, which simplifies user and resource administration, reducing its complexity, expense, and susceptibility to error

• eTrust Audit, which collects enterprisewide security and system audit information

• eTrust Content Inspection, which safeguards systems connected to the Internet from malicious code attacks

• eTrust Directory, which ensures high performance and reliability of critical directory service applications

• eTrust Encryption, which seamlessly safeguards information against intrusion as it is transferred across a Transmission Control Protocol/Internet Protocol (TCP/IP) network

• eTrust OCSPro, which provides a scalable, distributed Online Certificate Status Protocol (OCSP) responder implementation, giving client applications the current status of a digital certificate from a trusted authority in real time

• eTrust Firewall, which controls Internet, intranet, and extranet access to mission-critical applications, excluding unauthorized users

• eTrust Intrusion Detection, which delivers advanced network protection and includes an integrated antivirus engine with automatic signature updates

• eTrust Policy Compliance, which enables organizations to protect against unauthorized usage or attacks by identifying potential weak points in security policies, automatically generating corrections, and constantly monitoring the network

• eTrust VPN, which delivers secure Internet communications and safeguards all virtual private network (VPN) uses.

CA also offers a Security Integrity Services (SIS) portfolio, which includes a complete range of consulting services for security assessment, policy development, product installation, support, implementation, and outsourcing. For further information on CA's eTrust products and services, see http://www.cai.com/solutions/enterprise/etrust.
… M.B.A. from Dowling College, as well as a B.A. in English from State University of New York at Albany. He may be reached …
Third International Information Hiding Workshop

Mr. Robert P. Thompson, Director, IATAC

IATAC recently attended the Third International Information Hiding Workshop in Dresden, Germany. This workshop is the primary forum for scientists engaged in the field of Information Hiding techniques, including steganography and digital watermarking. The workshop focused on algorithms and techniques, rather than on systems and policy. The information presented at this workshop is intended to provide a comprehensive view of the current state of the art in data embedding research.

Conference sessions were separated into steganography and watermarking tracks. The steganography track was divided into sessions on fundamentals, paradigms and examples, asymmetric steganography, engineering, and attacks. The watermarking track featured sessions on proofs of ownership, detection and decoding, watermarking techniques, protecting private and public watermarking information, new designs, robustness, and software and hardware protection.

The steganography sessions illustrated that steganography research is improving, and certain institutions are gaining expertise, along with more operational insight than is usually expected in academia. In general, steganography is designed to make it more difficult to detect embedded data. Researchers and developers are beginning to make more realistic assumptions about host data files; many are stating that initial assumptions about Least Significant Bit (LSB) substitution appear to be false and the security of these techniques is questionable. Algorithm developers are paying more careful attention to where to hide data, focusing on areas


Figure 1. Watermarking System
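The report's remark that the security of LSB substitution is questionable rests on a concrete observation: the least significant bits of real cover data are not uniformly random, so overwriting them with a message leaves a statistical footprint. The Python below is an added example, not code from the workshop, from IATAC, or from any paper presented there. It embeds a payload by LSB substitution into a constructed 8-bit sample stream (a hypothetical stand-in for image data, built with a deliberately uneven histogram) and then runs the pairs-of-values chi-square test of Westfeld and Pfitzmann over both the untouched cover and the stego output. The cover signal, payload bits, function names, and the use of the Wilson-Hilferty normal approximation for the chi-square tail probability are all assumptions made for this demonstration.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple


def make_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed cover signal: n 8-bit samples (hypothetical image stand-in).

    Even sample values are made about three times as common as their odd
    neighbours, so the histogram is uneven inside each pair (2k, 2k+1).
    Real sensor data is uneven in this way too, which is the assumption the
    pairs-of-values test exploits.
    """
    rng = random.Random(seed)
    weights = [(3.0 if v % 2 == 0 else 1.0) * math.exp(-((v - 128) / 40.0) ** 2)
               for v in range(256)]
    return rng.choices(range(256), weights=weights, k=n)


def message_bits(n: int, seed: int = 7) -> List[int]:
    """Constructed payload: n pseudo-random bits (stands in for an encrypted message)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def lsb_embed(cover: Sequence[int], bits: Sequence[int]) -> List[int]:
    """LSB substitution: overwrite the least significant bit of the first
    len(bits) samples with the message bits. Raises if the cover is too small."""
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = list(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | (b & 1)
    return stego


def lsb_extract(stego: Sequence[int], nbits: int) -> List[int]:
    """Recover nbits message bits from the LSBs of the first nbits samples."""
    return [s & 1 for s in stego[:nbits]]


def pov_chi_square(samples: Sequence[int], levels: int = 256) -> Tuple[float, int]:
    """Pairs-of-values statistic.

    LSB substitution only ever moves a sample between 2k and 2k+1, so after
    embedding the two counts in each pair drift towards their common mean.
    The statistic measures the distance of the observed counts from that
    equalised state. Returns (chi2, degrees_of_freedom)."""
    hist = [0] * levels
    for s in samples:
        hist[s] += 1
    chi2 = 0.0
    pairs = 0
    for k in range(0, levels, 2):
        total = hist[k] + hist[k + 1]
        if total == 0:
            continue                      # empty pair carries no information
        expected = total / 2.0
        chi2 += (hist[k] - expected) ** 2 / expected
        pairs += 1
    return chi2, pairs - 1


def chi_square_upper_tail(chi2: float, df: int) -> float:
    """P(X >= chi2) for X ~ chi-square(df), via the Wilson-Hilferty normal
    approximation (adequate once df is in the tens or more)."""
    if df < 1:
        raise ValueError("need at least two populated pairs")
    mean = 1.0 - 2.0 / (9.0 * df)
    sd = math.sqrt(2.0 / (9.0 * df))
    z = ((chi2 / df) ** (1.0 / 3.0) - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def embedding_probability(samples: Sequence[int]) -> float:
    """Near 1.0: pair counts are equalised, consistent with LSB embedding.
    Near 0.0: pairs are uneven, as in untouched cover data."""
    chi2, df = pov_chi_square(samples)
    return chi_square_upper_tail(chi2, df)


def demo(n: int = 20000) -> Dict[str, object]:
    """Embed at full capacity and score cover and stego with the same test."""
    cover = make_cover(n)
    bits = message_bits(n)
    stego = lsb_embed(cover, bits)
    return {
        "message_recovered": lsb_extract(stego, n) == bits,
        "p_cover": embedding_probability(cover),
        "p_stego": embedding_probability(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The payload extracts perfectly, which is the property that makes LSB substitution attractive, yet the test separates the two signals cleanly: the cover scores close to 0 and the stego signal close to 1. Note that the test only sees what it is given; embedding into a prefix of a much larger cover dilutes the signal, which is why practical detectors run the statistic over sliding windows rather than over the whole file at once.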